I have inherited a Microsoft network with 2 AD hosts running on MS-Windows 2012 core. Up until a week ago it was doing its job, but since then there have been issues with logging in and accessing network shares. While one AD host appeared to be behaving as usual, the other one would not play ball. Attempting to access it via remote PowerShell:
```
enter-pssession : Connecting to remote server ad1 failed with the following error message : WinRM cannot
process the request. The following error occurred while using Kerberos authentication: Cannot find the computer
ad1. Verify that the computer exists on the network and that the name provided is spelled correctly. For
more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ enter-pssession -computername ad1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (ad1:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
```
After much fumbling, I was able to access it by....
```powershell
Set-Item WSMan:\localhost\Client\TrustedHosts -Value '10.1.0.64'
$cred = get-credential
enter-pssession -computername 10.1.0.64 -credential $cred
```
Despite being a domain controller host, my session was unable to access any AD related functionality:
```
[10.1.0.64]: PS C:\Users\symcbean\Documents> Test-ComputerSecureChannel
Cannot verify the secure channel for the local computer.
Operation failed with the following exception: The specified domain either does not exist or could not be contacted.
+ CategoryInfo : OperationStopped: (ad1:String) [Test-ComputerSecureChannel], InvalidOperation Exception
+ FullyQualifiedErrorId : FailToTestSecureChannel,Microsoft.PowerShell.Commands.TestComputerSecureChannelCommand
```
A DNS lookup for _ldap._tcp.$DOMAIN SRV records returns both AD servers. Running get-AdDomain also gives an error:
```
[10.1.0.64]: PS C:\Users\symcbean\Documents> get-addomain
Attempting to perform the InitializeDefaultDrives operation on the 'ActiveDirectory' provider failed.
Server instance not found on the given port.
+ CategoryInfo : InvalidArgument: (NTSERVDOM:ADDomain) [Get-ADDomain], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Comm
ands.GetADDomain
```
Running the same command on my desktop PC, I see a slightly different error:
```
PS C:\Users\symcbean> get-addomain
get-addomain : Unable to contact the server. This may be because this server does not exist, it is currently down, or
it does not have the Active Directory Web Services running.
At line:1 char:1
+ get-addomain
+ ~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (NTSERVDOM:ADDomain) [Get-ADDomain], ADServerDownException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADDomain
```
The NtDs, NtFrs, Kdc, IsmServ & DNS services are all running on the host. I can complete a TCP handshake with ports 3128, 636 & 9389. What is wrong? What should I look at next?
0 Answers
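The checks described in the question (SRV lookup, TCP reachability, service state), collected into one read-only script that runs them against every DC the SRV query returns; this is an added example, not part of the original post. The domain name is a placeholder, and the port list and the ADWS and Netlogon service names are standard values added here rather than taken from the post.

```powershell
# Added example: read-only probe of every DC that DNS advertises for a domain.
# Assumes Windows PowerShell 3.0-5.1 (Get-Service -ComputerName is absent in PowerShell 6+).
$Domain = 'corp.example.test'   # placeholder, replace with the real AD DNS domain

# Standard AD port assignments (general knowledge, not values from the post)
$Ports = @{ 88 = 'Kerberos'; 389 = 'LDAP'; 636 = 'LDAPS'; 3268 = 'Global Catalog'; 9389 = 'ADWS' }
# Services named in the post, plus ADWS and Netlogon (added here)
$Services = 'NTDS', 'NtFrs', 'Kdc', 'IsmServ', 'DNS', 'ADWS', 'Netlogon'

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function New-Result($DC, $Check, $Result) {
    [pscustomobject]@{ DC = $DC; Check = $Check; Result = "$Result" }
}

# Same SRV query the post describes; keep only SRV answers, not the extra A records
$srv = Resolve-DnsName -Name "_ldap._tcp.$Domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' }

$report = foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        $state = if (Test-TcpPort -Address $dc -Port $port) { 'open' } else { 'unreachable' }
        New-Result $dc "tcp/$port ($($Ports[$port]))" $state
    }
    foreach ($name in $Services) {
        # Uses the caller's logon over RPC; a failed query is itself a finding
        $state = try { (Get-Service -ComputerName $dc -Name $name -ErrorAction Stop).Status }
                 catch { "query failed: $($_.Exception.Message)" }
        New-Result $dc "service $name" $state
    }
}
$report | Format-Table -AutoSize
```

Run from a domain-joined workstation, it needs no change to the WSMan TrustedHosts list, and the side-by-side rows for the two DCs show where the failing host differs from the working one.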